At the end of 2010, we saw a resurgence of some vintage tactics spammers used three or more years ago to bypass content-based spam filters. In particular, three old ploys were revived and combined with newer trends (such as falsified alerts from social networking sites) to produce fresh spam, as documented in the Commtouch Q4 2010 Internet Threats Trend Report.

The first all-too-familiar tactic spammers revived in recent months is hidden text. Random characters are inserted in the middle of words that are standard red flags to Bayesian, heuristic, and other content-based spam filters, and those characters are rendered in a font shrunk as small as possible and coloured to match the email background so the reader cannot see them. To the recipient, the words simply appear to contain a few stray spaces; to a filter that tokenises the raw message, those "spaces" are several extra characters that break the trigger word apart, so it no longer matches and is no cause for a block or a redirect into the junk folder. The countermeasure is to score the text as the reader sees it: strip elements whose styling makes them invisible before tokenising.

A second tactic seen again at the end of 2010 after some time is the use of Google's cache to sneak spam website links past content-based anti-spam technology. Google is, by default, a white-listed, or acceptable, domain to most spam filters. Linking to Google's cached copy of a page produces a URL that begins with a Google domain name, and a filter that only inspects the visible host accepts it, while the recipient is still taken to the spammer's intended address, either from the cached copy itself or via a typically seamless redirect. A filter therefore has to unwrap cache and redirect URLs and evaluate the destination host rather than the wrapper.

The third vintage spam tactic enjoying new life since the end of 2010 is known as ASCII art. This refers to the careful arrangement of computer characters (letters, digits, and symbols) to form a larger representation of an image. Just type "ASCII art" into a Google image search to see plenty of impressive examples. Using ASCII art, spammers can draw letters and words without actually typing those words. Hence, content-based spam filters remain unaware of the words and phrases that a human reader will see; the only textual clue is a run of lines made almost entirely of symbols.
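The three tricks above all rely on the filter tokenising something other than what the reader sees. The following is an added example, not code from the original post or from any vendor product, showing the normalisation a content filter needs before scoring: it drops text inside invisible inline elements so split trigger words re-join, unwraps Google cache and redirect URLs to the real destination host, and flags runs of symbol-only lines as likely ASCII art. The HTML sample, the ASCII-art sample, the trigger-word list and the blocked-host list are all constructed for the demo; the Google cache URL shape is the real one, but the destination host is made up.

```python
"""Added example (not from the original post): normalise a message the way a
content filter should before scoring it.  Samples and lists are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: hidden spans split a trigger word, and the link hides
# behind a Google cache wrapper (destination host is made up).
SAMPLE_HTML = """<html><body style="background:#fff">
<p>Cheap Vi<span style="font-size:1px;color:#ffffff">xq</span>ag<font size="1" color="white">zz</font>ra here!</p>
<a href="http://webcache.googleusercontent.com/search?q=cache:www.cheap-pills.example/?offer=1">click</a>
</body></html>"""

# Constructed ASCII-art sample: the letters are drawn with '#', never typed.
ASCII_ART = "#   #  ###\n #  #  # #\n  # #  # #\n   ##  ###\n"

# Inline styles that make text invisible on a white background.
HIDDEN_STYLE = re.compile(
    r"font-size\s*:\s*[0-3](px|pt)?\b|(?<![-\w])color\s*:\s*(#fff(fff)?|white)\b", re.I)


class _Visible(HTMLParser):
    """Collect the text a reader sees plus every href, skipping hidden elements."""

    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, is_hidden) for each open element
        self.text = []
        self.links = []

    @staticmethod
    def _is_hidden(tag, attrs):
        a = dict(attrs)
        if HIDDEN_STYLE.search(a.get("style") or ""):
            return True
        return tag == "font" and (a.get("size") in ("0", "1")
                                  or (a.get("color") or "").lower() in ("white", "#fff", "#ffffff"))

    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("href"):
            self.links.append(dict(attrs)["href"])
        self.stack.append((tag, self._is_hidden(tag, attrs)))

    def handle_endtag(self, tag):
        while self.stack:                    # pop back to the matching open tag
            if self.stack.pop()[0] == tag:
                break

    def handle_data(self, data):
        if not any(hidden for _, hidden in self.stack):
            self.text.append(data)


def visible_text(html):
    """Return (text as rendered, list of hrefs)."""
    p = _Visible()
    p.feed(html)
    p.close()
    return "".join(p.text), p.links


CACHE_HOSTS = {"webcache.googleusercontent.com", "www.google.com", "google.com"}

def destination_host(url):
    """Unwrap Google cache (?q=cache:HOST/...) and redirect (/url?q=URL) wrappers."""
    u = urlparse(url)
    host = u.netloc.lower()
    if host not in CACHE_HOSTS:
        return host
    for key in ("q", "url"):
        for val in parse_qs(u.query).get(key, []):
            val = unquote(val)
            if val.startswith("cache:"):             # cache:HOST/path form only
                val = "http://" + val[len("cache:"):]
            return urlparse(val).netloc.lower() or host
    return host


def looks_like_ascii_art(text, min_lines=3):
    """Heuristic: several consecutive lines whose non-blank characters are mostly symbols."""
    run = 0
    for line in text.splitlines():
        chars = [c for c in line if not c.isspace()]
        if len(chars) >= 3 and sum(not c.isalnum() for c in chars) / len(chars) >= 0.7:
            run += 1
            if run >= min_lines:
                return True
        else:
            run = 0
    return False


TRIGGER_WORDS = {"viagra", "cialis", "pharmacy"}     # constructed
BLOCKED_HOSTS = {"www.cheap-pills.example"}          # constructed reputation list

def classify(html):
    """Return the reasons a filter would flag the message after normalisation."""
    text, links = visible_text(html)
    words = set(re.findall(r"[a-z]+", text.lower()))
    hosts = {destination_host(l) for l in links}
    reasons = []
    if words & TRIGGER_WORDS:
        reasons.append("trigger:" + ",".join(sorted(words & TRIGGER_WORDS)))
    if hosts & BLOCKED_HOSTS:
        reasons.append("host:" + ",".join(sorted(hosts & BLOCKED_HOSTS)))
    if looks_like_ascii_art(text):
        reasons.append("ascii-art")
    return reasons


if __name__ == "__main__":
    print(classify(SAMPLE_HTML))            # ['trigger:viagra', 'host:www.cheap-pills.example']
    print(looks_like_ascii_art(ASCII_ART))  # True
```

Without the normalisation, a tokeniser sees "vixqagzzra" and a Google host, and both checks miss. The hidden-text detector only inspects inline `style` and `font` attributes; a production filter also has to resolve `<style>` blocks and CSS classes, and treat images and `display:none` the same way.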

These revived spam tactics underscore the ongoing need in 2011 for an email security system that doesn't rely solely on content-based methodologies. Effective spam filtering products take a multi-tiered approach, evaluating an incoming message on several independent signals, such as the sending address's reputation, the destination of its links, and its rendered content, rather than on the raw text alone.

Perhaps you’ve been staggering around, drooling, staring off into space, and pawing without coordination at miscellaneous objects within your reach. Perhaps you’re a zombie. Perhaps it’s Monday morning, Jim’s still lurking around the coffee pot, and the idea of discussing your weekend with Jim makes you twitch with sensations of oncoming spontaneous combustion, so you haven’t had your coffee yet. Perhaps I’m already getting way off-topic and thinking about the wrong sort of zombies.

Many people assume that spam's primary purpose is to sucker you into buying supplements that will fail to make any of your various organs grow larger. But a significant chunk of the spam circulating out there in the email ether has one directive: infect new machines so they can send still more spam. Computers taken over in this way become part of what's known as a robot network, or botnet, and are often referred to as "zombies."

Spammers commonly use spam messages, carrying malicious attachments or links, to draft more random, under-protected computers into the ranks of their zombie armies. Many botnets comprise tens or hundreds of thousands of the millions of home and business computers that have been compromised, and botnets are the source of the overwhelming majority of all spam, as the Federal Trade Commission reported in a recent consumer alert.

Your home or office computers can be turned into botnet zombies without your ever knowing. There are a few indications that may arise, including a significant slow-down in the machine’s performance, mysterious emails stored in your sent-mail folder, or baffling complaints about the spam “you” have been sending lately. However, even if you find out that spammers have hijacked your email account, damage was likely already done.

The leading anti-spam email protection technologies today make use of a method known as IP address reputation filtering. Basically, they keep track of what mail is sent from specific IP addresses, distinguishing senders that behave legitimately from those that follow spammer patterns. Reputations are thus established for IP addresses, both in shared DNS-based blocklists and in each filter's own history, and spam filters weigh the sending address's trustworthiness, usually before the message body is even accepted, when deciding whether an incoming message is spam. If your home or business computers become zombies, the address they send from will develop a bad reputation and your emails will be bounced or sorted into spam folders. Consequences range from slightly inconvenient to completely devastating for personal and professional email users alike.
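What that reputation check looks like on the receiving end, as an added example that is not from the original post or any product mentioned here: the reversed-octet DNS query receivers make against a DNS-based blocklist (Spamhaus ZEN is used because its query format and 127.0.0.x return codes are published), the decoding of the answer, and the accept/reject decision. The fake resolver and the 203.0.113.7 and 198.51.100.9 entries are constructed so the demo runs offline; 127.0.0.2 is the address Spamhaus documents as always listed for testing.

```python
"""Added example (not from the original post): DNSBL lookup against Spamhaus
ZEN, the IP-reputation check most receivers run at SMTP time.  The fake
resolver below is constructed so the demo runs offline."""
import ipaddress
import socket

ZONE = "zen.spamhaus.org"

# Published ZEN return codes (the A record the zone answers with when listed).
ZEN_CODES = {
    "127.0.0.2": "SBL: verified spam source",
    "127.0.0.3": "CSS: snowshoe/low-reputation spam source",
    "127.0.0.4": "XBL: exploited host (botnet member, open proxy)",
    "127.0.0.5": "XBL: exploited host",
    "127.0.0.6": "XBL: exploited host",
    "127.0.0.7": "XBL: exploited host",
    "127.0.0.10": "PBL: end-user address space, not expected to send mail directly",
    "127.0.0.11": "PBL: end-user address space (ISP-maintained)",
}


def dnsbl_name(ip, zone=ZONE):
    """Reversed-octet query name: 203.0.113.5 -> 5.113.0.203.zen.spamhaus.org"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def live_resolve(name):
    """Real lookup: A records for name; raises socket.gaierror on NXDOMAIN."""
    return socket.gethostbyname_ex(name)[2]


def check_sender(ip, resolve=live_resolve, zone=ZONE):
    """Return the listing reasons for ip; an empty list means not listed."""
    try:
        answers = resolve(dnsbl_name(ip, zone))
    except socket.gaierror:
        return []                              # NXDOMAIN: not listed
    reasons = []
    for a in answers:
        if a.startswith("127.255.255."):       # query error (public resolver, quota), not a listing
            raise RuntimeError("DNSBL query refused: " + a)
        if a.startswith("127.0.0."):
            reasons.append(ZEN_CODES.get(a, "listed with unknown code " + a))
    return reasons


def smtp_verdict(ip, resolve=live_resolve):
    """Action a receiving MTA would take for this client address."""
    return "reject" if check_sender(ip, resolve) else "accept"


# Constructed fake zone standing in for the live DNS service.
FAKE_ZONE = {
    "2.0.0.127." + ZONE: ["127.0.0.2"],                    # documented test entry
    "7.113.0.203." + ZONE: ["127.0.0.4", "127.0.0.10"],    # constructed: infected home PC
}

def fake_resolve(name):
    if name not in FAKE_ZONE:
        raise socket.gaierror("NXDOMAIN (constructed)")
    return FAKE_ZONE[name]


if __name__ == "__main__":
    for ip in ("127.0.0.2", "203.0.113.7", "198.51.100.9"):
        print(ip, smtp_verdict(ip, fake_resolve), check_sender(ip, fake_resolve))
```

The constructed 203.0.113.7 entry is what a zombie on a home connection typically looks like: XBL because the host is observed spamming, PBL because the ISP has declared that address range should not be running a mail server at all. Run the live lookup only through your own resolver; Spamhaus answers queries from public resolvers with a 127.255.255.x error code rather than a listing, which the code above refuses to mistake for "not listed".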

As a zombie, your computer may also give a spammer access to files stored on it and to the email addresses in your contact lists. "You" may suddenly start sending your recovering gambling addict boyfriend emails promoting online casinos, or encouraging your grandmother to start purchasing her life-saving medications directly from some guy in a barn in Bolivia. Imagine the interesting interactions you'll have when your work email account starts sending special offers to your boss and your client roster. You may also find that your host or ISP isn't particularly happy with you, which can result in your website being shut down or your internet account cancelled.

Being a zombie is so often glorified, what with getting to eat brains and all. But when your computer is taken over by a spammer and hooked into a botnet, life as a zombie can be a lot less glorious. Usually, all it takes is one wrong click. Be on guard, educate your employees about spam threats and signs of malware infection, and invest in up-to-date anti-spam filtering.

Whether the message invites you to view someone’s webcam, prolong your erection, or watch “young girlz get raped,” adult content spam is becoming increasingly explicit, graphic, and offensive. It’s also becoming more common. Spam email accounted for 85 percent of all email, or 134.3 billion messages in November 2010, according to Cisco IronPort SenderBase Security Network. Considering adult content spam accounts for nearly six percent of that 134.3 billion, there is a tremendous amount of porn staring the average unprotected email user in the face.

How does that affect your organization?

Whether your organization is large or small, adult content spam is much more than a nuisance: it decreases employee productivity and morale, wastes resources, and may expose you to legal liability. Employers of all sizes have been found liable for failing to protect their employees from sexual or otherwise offensive electronic images and preventing inappropriate email usage.

Imagine this scenario: One of your employees, Steve X, arrives at your company on a Wednesday morning, eager to begin his day. He boots up his computer and signs into his email, just like any other morning. On this day, however, he opens an email message containing obscene text and the pornographic image of a young-looking girl. Steve X, being devoutly religious and the father of a 15-year-old girl, is extremely offended. In fact, he is sickened and outraged.

Scenarios like the one above occur frequently, with more than 25% of workers receiving offensive or sexually explicit emails on a regular basis, according to Michael R. Overly, an attorney and Certified Information Systems Security Professional. When an employee is subjected to disturbing messages and images, especially when it happens repeatedly, your company can be held liable for sexual harassment due to a hostile work environment.

Sexual harassment? Because of spam emails?

Yes. Employers who fail to protect their employees from a hostile work environment created by sexually explicit and offensive spam emails can be found indirectly liable for sexual harassment. While direct liability generally results when a supervisor sends sexually offensive text or images directly to a subordinate, indirect liability results when an employer fails to take reasonable steps to secure the safety and comfort of its employees. If one or more of your employees has complained about sexually explicit spam emails and you did not take prompt steps to prevent future problems, your employee can sue you.

Fortunately, you can help protect yourself and your organization from liability by proactively working to minimize email threats. By taking action, you can avoid or strongly mitigate any liability you may potentially face if one of your employees decides to sue.

* Develop a comprehensive email policy that outlines your organization’s position against sexual harassment and lists examples of inappropriate conduct. Distribute this policy to every employee and display it in highly visible areas of your workplace. Include a disclaimer and warning that employees using the Internet do so at their own risk.

* Provide training for all employees at all levels of your organization. Instruct your employees on the best methods of responding to offensive email messages and make reporting such messages as simple as possible.

* Use spam filtering technology and other up-to-date email security products to ensure your employees and your organization are protected at all times.

The time and money needed to protect your employees and organization from spam is trivial compared to the potential legal and financial risks posed by adult content spam.

Because there are no barriers to entry, spammers and scammers are free to set up Facebook accounts to spread malware and phish for valuable information. In addition, Facebook is so user-friendly, people with no internet know-how or computer savvy join and participate. This stocks the social networking site with potential targets who lack the appropriate caution and skepticism about unknown links and messages, making it a particularly appealing place for cybercriminals.

The problem is so rampant the Detroit Free Press labeled Facebook “a veritable cesspool of spam.” In recent times, spammers have tried links that allegedly identify profile stalkers, show top-secret photos of Osama bin Laden’s body, and add a dislike feature to user accounts. Spammers even resort to mimicking anti-spam measures, with new fraudulent links claiming to be a way to verify the user’s account so spam accounts can be found and deleted.

With its growing reputation as a prime hunting ground for cybercriminals, Facebook just unveiled new safeguards to protect its users. One such measure is an integration of Web of Trust. This service relies on user ratings of websites from its community to determine whether websites are trustworthy. You can look up specific sites at http://www.mywot.com, or add software to your browser to stay informed about websites while you surf the web. Now, Web of Trust technology is available as a Facebook add-on, warning users about untrustworthy links posted on the site.

Facebook also implemented new clickjacking preventions that identify links on the site that claim to go somewhere they do not. When users click such links, a warning box pops up, giving the option to cancel or confirm the click. There is also a new layer of protection for users attempting to copy a malicious link from the site into their browser’s address bar. A pop-up box warns that the URL appears to contain dangerous code.

In an attempt to cut down on hacked accounts, Facebook added an optional safeguard for when accounts are accessed from unusual locations. Users can opt in to the service, which sends a confirmation code to the mobile device attached to the account whenever someone tries to log on from an unknown computer. Internet security experts recommend signing up, which can be done through your account settings.

Remember, though, that no matter what Facebook and other social networking sites do to protect you from spammers and scammers, cybercriminals always find a workaround or new tactics. The best defense is simply common sense and a healthy skepticism.

When you’re unsure about something a friend posted, ask them if it’s legitimate before clicking. Read the comments below links before clicking, as other users often warn about malicious posts before the item is deleted. Be wary of shared links that seem uncharacteristic of a friend, or that nobody comments on even though they seem comment-worthy. Never attempt to make changes to your account through links posted on your homepage or friends’ walls. Make all such changes via your account settings and privacy settings links.

The computer scientists from the University of California who made news in 2008 for determining that one in 12.5 million spam email messages yielded a sale are at it again. The team, comprised of staff from UC Berkeley and UC San Diego, believes it has found a viable way to end spam for good.

In recent times, we’ve witnessed increasing prosecution of spammers and cyber criminals, as well as more significant action against spam affiliate programs and computer networks. Most notably so far this year, the world’s most prolific botnet, Rustock, was taken offline in March by a cooperative effort between such unlikely partners as Microsoft, U.S. Marshals, Pfizer, Dutch law enforcement, and the University of Washington.

While it feels good to cheer on these anti-spam assaults, there’s no denying they are ultimately a losing battle. The holes left in spam networks invariably turn into vacuums quickly filled by other spammers. Such efforts ultimately amount to bailing water out of a sinking ship while ignoring the leak.

The reality is that spam will continue as long as it remains profitable. And though spam may seem laughable and pointless to you and me, it often turns a nice profit for successful spam entrepreneurs.

Almost three years ago, the team of UC computer scientists released their findings on spam success rates. The results were obtained by infiltrating the Storm botnet, one of the biggest and baddest botnets at the time. Once inside, they simply used it to do what it did best: send out massive quantities of spam, in this case pointing to sites they controlled so that responses could be counted. The team discovered that one in 12,500,000 spam emails got a response.

And while that does not sound too impressive, sending spam is an almost entirely automated process that costs practically nothing. More importantly, spammers are able to distribute spam in staggering quantities. In 2010, botnets sent out an average of 71.1 billion spam emails a day, according to the MessageLabs Intelligence 2010 Annual Security Report. Most of it originated from the 10 leading botnets. So, with one of every 12.5 million making a sale, that comes to 5,688 sales daily.

The UC researchers also found during their 2008 experiment that the average sale was for $100. To further extrapolate, that means botnets generate about $568,800 a day in sales, which works out to almost $208 million a year.

Now, instead of peddling spam, the UC computer scientists welcomed as much of it as possible into their inboxes. For three months, they received it and opened it all. Then, to add to the insanity, they systematically made purchases from the websites advertised in the junk emails. You can read the full paper they published on their research’s purpose, methods, and findings at http://cseweb.ucsd.edu/~savage/papers/Oakland11.pdf.

The team ignored the already extensively studied aspect of spam distribution. Instead, they set out to identify a “bottleneck” in the process of monetizing spam. This refers to a behind-the-scenes step in the financial process where spammers have such limited options that their ability to make money could reasonably be disrupted.

They located such a step. They found that only three financial companies processed 95 percent of the credit card transactions with which they purchased spam-advertised pharmaceuticals and supplements. These three companies are based in Denmark, Azerbaijan, and the West Indies.

Of course, it’s not possible to prevent every financial institution around the globe from handing money over to spammers. The international community could certainly put pressure on these companies to stop facilitating the exchange of money between online shoppers and spammers. This would take time, however. And in that time, spammers would find alternatives.

It is more practical to stop credit card issuers from settling transactions with financial companies that deal with spammers. If Western banks refuse to settle payments with banks known to support the spam infrastructure, spam would very quickly become almost entirely demonetized. The UC team also asserts that a financial blacklist of spam-supporting financial institutions can be easily established and kept up-to-date.

It will certainly prove challenging to make such a plan reality. But if it can be set in motion, spam might be rendered unprofitable and as useless as it is annoying. It remains to be seen how Western banks and politicians will respond to the information and suggestions put forth by the UC computer scientists. Still, it’s reassuring to know there is a possible light at the end of the tunnel.

With the combining of two of today’s most significant spam trends — targeting social network users and sending pharmaceutical spam — Google+, which is Google’s new social networking site, has joined the ranks of brands spoofed by spammers. Email messages from Google+ are now being fraudulently replicated in a major spam campaign.

The spam emails in question resemble legitimate messages a person may receive from a friend who uses Google+. The messages, which invite the recipient to check out the new social networking site, have subject fields like “Welcome to the new Google+ project.” The body of the spam contains a welcome, a default silhouette-style profile picture, and an invitation to view or comment on the fake user’s activity on the site. It then has a blurb about the site still working out some kinks and a large button to “Learn more about Google+.”

These spam messages are relatively well written by spam standards, mostly lacking the usual typos and spelling and grammatical errors. They appear to be written by a native English speaker, and they contain a realistic footer that includes the Google+ logo and an option to unsubscribe from further contact.

While this is the first large-scale spam campaign exploiting the Google+ brand name, it is not surprising, nor will it be the last. Social networking sites are some of the most-targeted by spammers, phishers, and other cybercriminals. Month after month, Facebook appears on the top 10 list, often even in the top 5, of websites most often targeted by phishers.

The current spam campaign is not particularly malicious. The emails seen so far simply redirect to websites selling pharmaceutical products, including spammer favorites such as Viagra, Cialis, and Levitra. Most are mock Canadian pharmaceutical websites, an all-too-familiar aspect of this category of spam. No malware or phishing ploys associated with this campaign have been reported as of this writing.

By the end of 2010, pharmaceutical spam accounted for more than 40 percent of all global spam in circulation. It remains the single most prevalent type of spam to this day.

You may wonder how many people who think they're about to investigate a new social networking site will spontaneously decide to purchase pharmaceutical sexual enhancers or other drugs. Not many, to be sure. But a handful of recipients will undoubtedly buy something or at least bookmark the sites for future use. In large enough numbers, with spam messages sent out by the millions or even billions each day, at no cost to the spammers, a few emails will invariably be successful, yielding a profit.

If you receive an email purporting to be from Google+, or any other social networking site, always verify that it’s from somebody you know and confirm that it was sent to you with his or her knowledge. Though the current spam campaign contains nothing more than an annoying redirect, new campaigns spoofing Google+ will certainly arise in the near future that contain malicious files and attempts to phish personal information.

A massive fake IRS spam email campaign is currently delivering the Zeus Trojan horse onto domestic hard drives. Zeus, primarily an engine for financial fraud, has been plaguing the public since 2007. In a spam campaign that’s been going on through the latter half of June, email users are now downloading the malware contained in mock tax-related messages.

Experts note that the malicious messages are relatively well written, by spam standards. Still, some of the spelling and grammatical errors typical to spam written by non-native English speakers are present.

The messages appear to originate from the irs.gov domain, informing the recipient that there was some sort of problem processing their tax return payments. The subject line generally reads “Your IRS payment rejected,” “Federal Tax payment rejected,” or something similar. A PDF file is attached to the email.

The body of the email refers the recipient to the attachment for details about why their tax payment was problematic. Opening the attachment is what installs Zeus on the machine. Zeus uses keystroke logging, form grabbing and other tricks to capture private data such as credit card numbers, bank account information, and account passwords.

With the fear of an audit or entanglement with the IRS so well ingrained in the American psyche, this particular tactic is finding moderate success for a spam campaign. Such successes have built up the Zeus bot’s reputation over the past few years, making it one of the most infamous and dangerous malicious programs out there. It has been used in several dozen attacks and infected many millions of computers around the world.

Back in May, a version of the Zeus crimeware kit’s source code was leaked. It sprung up on numerous underground forums frequented by spammers, hackers, and cybercriminals. Previously only available at a steep price, the sudden availability of such malicious source code immediately worried internet security experts and cybercrime law enforcement agents. This latest fake IRS spam campaign may be the work of people who newly acquired the code.

Supporting this theory is the fact that there is a key mistake in the malware coding that gives researchers hope for determining who is behind the attack. While there are generally safeguards set in place to prevent the same person from repeatedly downloading the binary to collect samples for study, an oversight in the current campaign provides an easy loophole, facilitating study.

Like so many other spam campaigns today, the fake IRS emails make use of URL shortening. Typically, the spammers ensure that the same person cannot follow the shortened link pointing to the malware servers more than once, which starves researchers of repeat samples. However, an oversight in the coding of this campaign allows anyone to append a special character to the end of the shortened URL, such as a plus sign or an asterisk, and follow the link to the malware servers repeatedly.
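Whether or not a campaign leaves such a loophole, an analyst wants to learn where a shortened link lands without ever fetching the final page, since a GET of the last hop is what delivers the payload and what burns the one-visit-per-address gate. The following is an added example, not code from the original post or from any research cited in it, that walks a redirect chain with HEAD requests only, stops on loops and on excessive hop counts, and reports the final host. The shortener, tracker and payload hosts, and the redirect table that stands in for the live HEAD requests, are all constructed.

```python
"""Added example (not from the original post): expand a shortened URL hop by
hop with HEAD requests, never fetching a body.  Hosts and the offline redirect
table are constructed."""
import http.client
from urllib.parse import urljoin, urlparse

MAX_HOPS = 8


def live_location(url, timeout=5):
    """HEAD the URL; return the absolute Location for a 3xx, else None."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.netloc, timeout=timeout)
    path = (u.path or "/") + ("?" + u.query if u.query else "")
    try:
        conn.request("HEAD", path, headers={"User-Agent": "Mozilla/5.0"})
        resp = conn.getresponse()
        if 300 <= resp.status < 400:
            loc = resp.getheader("Location")
            return urljoin(url, loc) if loc else None   # Location may be relative
        return None
    finally:
        conn.close()


def expand(url, location=live_location, max_hops=MAX_HOPS):
    """Return the chain of URLs visited; raise on a loop or too many hops."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = location(chain[-1])
        if nxt is None:                     # final resource reached (not fetched)
            return chain
        chain.append(nxt)
        if nxt in seen:
            raise ValueError("redirect loop: " + " -> ".join(chain))
        seen.add(nxt)
    raise ValueError("more than %d hops: %s" % (max_hops, " -> ".join(chain)))


def final_host(url, location=live_location):
    """Host of the last hop, the thing to feed a reputation list."""
    return urlparse(expand(url, location)[-1]).netloc.lower()


# Constructed redirect table standing in for live HEAD requests.
FAKE_REDIRECTS = {
    "http://short.example/a1b2": "http://track.example/go?id=9",
    "http://track.example/go?id=9": "/drop/notice.php",             # relative Location
    "http://track.example/drop/notice.php": "http://payload.example/notice.exe",
    "http://loop.example/x": "http://loop.example/y",
    "http://loop.example/y": "http://loop.example/x",
}

def fake_location(url):
    nxt = FAKE_REDIRECTS.get(url)
    return urljoin(url, nxt) if nxt else None


if __name__ == "__main__":
    print(" -> ".join(expand("http://short.example/a1b2", fake_location)))
    print(final_host("http://short.example/a1b2", fake_location))   # payload.example
```

Some shorteners and trackers answer HEAD differently from GET or key their one-visit gate on the client address, so run this from an isolated analysis network and expect to see a decoy on the second attempt; the chain you record, not the page, is the artefact worth sharing with the blocklist maintainers.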

Thanks to this mistake, promising research is already underway to find those responsible for the latest attack of the Zeus bot. But spammers and cybercriminals usually prove resourceful. As word circulates about the specifics of the current spam campaign and the coding error, those behind the attack will no doubt alter their methods, change their servers, and clean up their code. Common sense and caution remain the public’s best chance at avoiding infection by Zeus or other malware.

Here at MX Police, we’re seeing a recent bout of spam pretending to represent a cease and desist letter for copyright infringement. The email, signed by a “Senior Legal Advisor,” accuses the recipient of illegally reproducing a certain website’s content without permission. The email goes on to make three demands:

1. remove all infringing content and notify us in writing that you have done so;
2. pay a licensing fee in the amount of 160,000 USD;
3. immediately cease the use and distribution of copyrighted material;

The email is filled with spelling, grammar, capitalization, and punctuation errors. It reads in several parts as if a non-native English speaker wrote it. This is a classic giveaway that an email is spam. Of course, it’s even more absurd considering the email is supposedly an official legal communication.

More specifically, the email betrays itself as spam with its obvious omissions. It fails to name the infringing website. The letter also neglects to identify particular content, either on the infringing site or on the site from which it was allegedly stolen. Such details would be included in a real copyright infringement takedown notice.

Then there’s the ridiculous demand for $160,000. While parties whose content is illegally reproduced are often entitled to monetary compensation, it certainly doesn’t amount to that much. Perhaps the spammers believe they can scare people enough with the threat of legal action into paying to make the problem go away, but it seems a more modest sum might have more luck.

The most amusing part of the spam is its sign-off:

Yours faithfully,
Senior Legal Advisor,
Andrew Lloyd

Because we’ve all gotten legal documents from attorneys signed “Yours faithfully” at some point. Or perhaps this is a sign of kinder, gentler corporate legal departments to come.

The website where the stolen content supposedly came from was already shut down by the time of this writing. There was undoubtedly another angle to the scam besides trying to score a quick $160,000. The site was probably set up for a phishing ploy. It may also have been a launching point for malware infection. Regardless, this seems like a good opportunity to review some basics of spam safety.

Never follow any link in an unsolicited email. You cannot trust such links to go where they appear to go or do what they claim to do. When visiting websites, type the URL into your browser’s address bar. Similarly, never open an attachment in an unsolicited email. Opening and executing attachments in spam is the best way to infect your computer and network with malicious files.

Reputable companies don’t ask for sensitive information, such as passwords, account numbers, or credit card numbers, via email. If you are unsure whether an email is legitimate, contact the apparent sender for confirmation. Don’t do this by replying to the message, of course. The best way to verify is over the phone, or by writing to a different, official email address.

If there's no reason to believe there is any urgency, just ignore the email. If it is legitimate, you will receive a follow-up, either by email or by phone, and a genuine follow-up typically references the specific previous attempt to contact you. Spam that is re-sent, by contrast, simply duplicates or closely resembles the earlier message. Be aware, too, that some spam feigns urgency with a non-specific mention of previous failed attempts to contact you, usually insisting that if the current attempt is unsuccessful, an account will be closed, you will be fined, or some other dire consequence awaits.

The best rule is to always err on the side of caution when dealing with spam. With anywhere from 80 to 90 percent of all global email traffic being spam at any given time, the odds are quite good that anything that doesn’t seem entirely right isn’t.

For years, spam output has increased exponentially, and for years, people have struggled with the question of how to stop it. Whether it’s new email filtering technology, legal action against spammers, or other measures, anti-spam efforts always had one thing in common: they sought to disrupt the spam distribution process.

Until now. A team of computer scientists from UC Berkeley and UC San Diego think they've uncovered a way to strip spammers of the ability to receive payments, thus rendering the entire spam enterprise unprofitable.

These researchers are foremost experts on the intricate workings of spam infrastructure and economics. In fact, they coined the now-familiar term “spamalytics” to define their field of study. About three years ago, they infiltrated the infamous Storm botnet, just to send their own spam and find out how effective it is as an advertising tool.

This time, they turned off their spam filters and happily received as much unsolicited bulk email as possible. For three months, they went through it all, visited the advertised websites, and purchased drugs and herbal supplements through the sites.

One question springs immediately to mind: why?

The researchers closely observed the finance-related goings-on behind the scenes. To make a long, fairly complicated story short, it turns out that only three financial institutions in the world, one based in Azerbaijan, one in the West Indies, and one in Denmark, handled 95 percent of the credit card transactions.

This is exactly what the team was looking for. It represents a step in spam commerce where interference is not only feasible, it’s realistic. The researchers ultimately suggest that the best course of action would be for Western banks to stop settling online credit card transactions with financial institutions that deal with spammers.

The UC computer scientists reassure that these institutions are easy to identify, and that it would be quick and simple to maintain an up-to-date list. Spammers would therefore have to constantly be changing banks in order to receive any payments, which would ultimately be far too great an effort and far too slow a process, especially considering how limited their options already apparently are.

So, it would seem this new study hits on a potential means to eliminate the profitability of spam. While efforts to hinder spam distribution are perpetually met with countermeasures, this tactic would leave spammers with nothing to fight for. It will certainly be interesting to see what comes of the report, which can be read in full.

Kaspersky Lab’s recently released security report for April 2011 reveals a slight upswing in spam rates. Spam email messages accounted for 80.8 percent of global email traffic for the month, on average. This represents a 1.2 percent hike in spam rates over March. Rates were higher during the latter half of the month, making up 83.6 percent of circulated email.

Of the more noteworthy spam trends in April, eBay fell from second to fourth place on the list of websites most targeted by phishers. Almost half as many eBay users were targeted in April as in March. This yielded a 4.2 percent drop for eBay in total phishing spam. Facebook and the banking group Santander climbed ahead of eBay, to second and third most targeted websites by phishers. PayPal remained the most-targeted website, even though PayPal-related phishing spam fell to just under 39 percent, a 6 percent drop from March to April. Overall, phishing attacks rose 0.01 percent from March to April, accounting for 0.03 percent of global email traffic.

Malicious files were found in 3.65 percent of all email in April, representing a 0.43 percent increase over the previous month. It hit domestic inboxes most often, with the U.S. receiving more than 14 percent of spam containing malware, an increase of 1.93 percent from March. Russians were second most targeted, receiving more than 10 percent of spam with malware. Two new fake antivirus-related malicious files, Packed.Win32.Katusha.n and Trojan-Downloader.Win32.FraudLoad.hxv, appeared on the top 10 list of distributed malware, at first and fifth place, respectively.

As is standard for April, an array of spam email messages was spun with an Easter theme. Spam and scams offering flowers, jewelry, and other gifts for Mother’s Day were common as well. Topically, Prince William’s marriage to Kate Middleton appeared in spam messages. Offers for wedding souvenirs and replicas of Kate’s engagement ring were widespread. However, anti-spam vendors admit there was significantly less royal wedding-related spam than was forecast.

India remained the most significant source of spam from March to April, increasing its output 1.34 percent to 12.8 percent of global spam email. Brazil remained in second place, sending out 7.1 percent of all spam. Russia continued its descent down the list, from third to fourth place, being overtaken by South Korea in April. South Korea was the source of 6.1 percent of spam, and Russia 4.3 percent.

Since April, there is now the first documented case of “spam rage” in the U.S. Jeremy Clancy, a 28-year-old New York resident, reportedly cracked under the strain of all the spam he encountered on social networking websites. In one week’s time, he identified and located 23 individuals he believed responsible for his spam. He went to their homes at night and severed their internet cables. Police arrested him on the eighth such trip.